Yahoo still scans your emails for ads — even if its rivals won’t

A deep dive in The Wall Street Journal on Tuesday dug out new details on a massive email scanning operation by Oath, the Verizon-owned subsidiary that’s the combined business of AOL and Yahoo. The email-scanning program analyzes over 200 million AOL and Yahoo inboxes for data that can be sold to advertisers. (Disclosure: TechCrunch is owned by Verizon by way of Oath.)

The logic goes that by learning about its users, the internet giant can hone its ad-targeting effort to display the most relevant ads.

But where other major email providers have bailed from email scanning amid privacy scandals and security issues, Oath remains the outlier.

Google ended its ad-targeting email-scanning operation across its consumer Gmail service last year — a decision lauded after facing criticism for years over the practice — though the company still uses machine learning to help you reply to emails. Meanwhile, Microsoft told TechCrunch in a statement that it does “not use email content for ad targeting in any way, anywhere in Microsoft.” And Apple has never scanned its customers’ inboxes for advertising, though its privacy policy says it can access your data for law enforcement purposes or for more vague reasons like “issues of public importance.”

So it’s basically just Oath, then.

Scanning the inboxes of its hundreds of millions of email users is a gutsy move for the year-old internet giant, which prior to its rebranding was responsible for two data breaches at Yahoo exposing more than three billion users’ data and a separate breach at AOL in 2014. Yahoo reportedly built a secret customer email-scanning tool at the behest of the U.S. intelligence community, which led to the departure of former Yahoo infosec chief Alex Stamos, who until recently was Facebook’s chief security officer.

Although the email scanning program isn’t new — announced earlier this year — it does go deeper than Gmail’s scanning ever did.

“Yahoo mined users’ emails in part to discover products they bought through receipts from e-commerce companies such as Amazon.com,” said the WSJ. “In 2015, Amazon stopped including full itemized receipts in the emails it sends customers, partly because the company didn’t want Yahoo and others gathering that data for their own use.”

Although some content is excluded from the scanning — such as health and medical information — it remains to be seen how (or even if) Oath can exclude other kinds of sensitive data from its customers’ inboxes, like bank transfers and stock receipts.

TechCrunch asked Oath and its parent Verizon about what assurances they could provide that confidential emails and information won’t be collected or used in any way. We also asked how consent was obtained from users in Europe, where data protection rules under the newly implemented GDPR regulations are stricter.

Neither Verizon nor Oath responded by our deadline.

It should go without saying that email isn’t the most sensitive or secure communications medium, and inboxes should never be assumed to be private — not least from law enforcement and the companies themselves.